JP5270603B2 - Virtual environment data transfer system and virtual environment data transfer device - Google Patents

Description

  The present invention relates to a security management technique for a virtual environment, and more particularly to a virtual environment data transfer system and a virtual environment data transfer apparatus for transferring data in a virtual environment.

A virtualization technique that uses resources such as a processor and a memory constituting a computer system in a manner that is flexibly divided and integrated separately from a physical configuration has attracted attention.
For example, by virtualizing servers, you can reduce the number of physical servers, such as consolidating servers that have low utilization and low server performance into a single physical server, making effective use of resources and space available. Reductions and maintenance costs are expected. In addition, system expansion and configuration change are facilitated by virtualization, so that the configuration of available hardware resources can be dynamically optimized, and performance improvement is expected. For this reason, in recent years, companies that introduce virtualization technology are rapidly increasing.
In such a situation, there is a request to access a virtual machine constructed in a virtual environment from the outside (for example, see Non-Patent Document 1).

harada, How to access a virtual machine on VMWare Server from outside, [online], 2008/09/19/19, Nijimo Co., Ltd., nijimo Blog, [Search 2010/3/24], Internet <URL: http: / /blog.nijimo.jp/2008/09/19/19/ ＞

  In a virtual environment, you may want to separate a segment from a server and a virtual machine that runs virtually on that server. For example, for security reasons, it is desirable to separately manage a server belonging to a LAN (Local Area Network) that is not open to the user and a virtual machine that operates on the server and can be used by the user.

However, in the server function for the conventional virtualization environment, when displaying a screen of a virtual machine running on an unpublished server on a user terminal outside the private LAN, the server in the private LAN The external user terminal must be directly connected. This may cause an accident caused by a user's fraud or carelessness, which is not desirable from the viewpoint of security.
In particular, the management port for communicating management information that can have an important effect on servers in the private LAN is not separated from the data port for communicating data such as screens. This problem is significant when using a server that communicates both management information and data. That is, in this case, it is necessary to make the management port of the private server accessible from an external terminal for screen transfer only, which is a serious problem in terms of security.

  The present invention has been completed based on the above problems, and its main object is to provide a technique for enabling data transfer while restricting direct access between devices in a virtual environment. There is.

  In order to solve the above problems, a virtual environment data transfer system according to an aspect of the present invention includes a host server, a virtual machine operating on the host server, a data transfer server connected to the host server, and a data transfer server And a user terminal that transmits a data transfer request for requesting transfer of data created by the virtual machine to the data transfer server. The data transfer server acquires a first combination of an IP address and a port number from the header of the data transfer request, and acquires a header of a layer higher than the layer to which the header belongs from the payload of the data transfer request. Of the first combination acquired by the acquisition unit and the first acquisition unit, at least an IP address is converted into another IP address, so that a second combination of a fixed port number and another IP address is obtained For identifying one of a plurality of types of data that is included in the header of the upper layer acquired by the conversion unit that generates the data and that is included in the data transfer request The second acquisition unit that acquires the identification information of the data and the type of data corresponding to the identification information acquired in the second acquisition unit A transfer condition determination unit that determines whether or not a transfer condition for enabling is satisfied, and when the data type satisfies the transfer condition, the first combination included in the data transfer request is replaced with the second combination; A request transfer unit that transfers the data transfer request to the host server.

  Another aspect of the present invention is a virtual environment data transfer apparatus. This apparatus is a data transfer apparatus connected to a user terminal and a host server on which the virtual machine operates, and a request reception unit that receives a data transfer request for requesting transfer of data created by the virtual machine from the user terminal; A first acquisition unit that acquires a first combination of an IP address and a port number from a header of a data transfer request, and acquires a header of a layer higher than a layer to which the header belongs from a payload of the data transfer request; Conversion that generates a second combination of a fixed port number and another IP address by converting at least an IP address of the first combination acquired by the first acquisition unit to another IP address And the identification information included in the header of the upper layer acquired in the first acquisition unit, and in the data transfer request A second acquisition unit that acquires identification information for specifying any of a plurality of types of data that may be rare, and a data type corresponding to the identification information acquired in the second acquisition unit is configured to transfer a data transfer request. A transfer condition determination unit that determines whether or not a transfer condition for permitting is satisfied, and when the data type satisfies the transfer condition, the first combination included in the data transfer request is replaced with the second combination; A request transfer unit that transfers the data transfer request to the host server.

  It should be noted that any combination of the above-described constituent elements and a conversion of the expression of the present invention between a method, an apparatus, a system, a recording medium, a computer program, etc. are also effective as an aspect of the present invention.

  According to the present invention, it is possible to provide a technique for transferring data in a security-protected environment in a system in which virtualization is introduced.

It is a block diagram of the virtual environment data transfer system concerning an embodiment. It is a block diagram of the data transfer server concerning an embodiment. It is a figure which shows the virtual machine information table stored in the virtual machine information storage part of the environment management server concerning embodiment. It is a figure which shows the temporary address corresponding | compatible table stored in the temporary address memory | storage part of user LAN concerning embodiment. It is a figure which shows the host server real address table stored in the real address memory | storage part of the data transfer server of FIG. It is a flowchart which shows the procedure in which a screen query is transmitted from a user terminal to a virtual machine, and a screen is transferred from a virtual machine to a user terminal. It is a flowchart which shows the request transfer process of FIG.

First, an outline of the virtual environment data transfer system according to the embodiment will be described.
In the virtual environment data transfer system, a server in the management LAN that is not disclosed to the user and a virtual machine that runs on the server and is available from the user terminal are managed separately. For the user terminal, the actual address of the server in the management LAN (hereinafter also referred to as “real address”) and the real address of the virtual machine running on the server are not disclosed. Therefore, the user terminal cannot directly access a server in the management LAN or a virtual machine running on the server. Communication between the user terminal and the host server is relayed by the data transfer server.

The host name of the available virtual machine is disclosed on the user terminal.
When the user instructs the user terminal to acquire data from a certain virtual machine, the user terminal inquires and acquires the host name of the host server on which the virtual machine operates based on the host name of the virtual machine. To do. Based on the acquired host name, a temporary address (hereinafter also referred to as “temporary address”) assigned to each host server is acquired, and a data transfer request for requesting data transfer from the virtual machine is received. Send to address.
The temporary address is actually the address of the data transfer server, and when the user terminal transmits a data transfer request using the temporary address, the data transfer request is transmitted to the data transfer server.

When the data transfer server reads the type of data from the header of the packet received from the user terminal and determines that the data can be transferred to the host server, the data transfer server transfers the packet to the host server.
The data transfer server also transfers data sent from the virtual machine as a response to the user terminal.

In this specification, information that can specify a transmission destination is referred to as an “address”. For example, an IP address may be used as an address, and a combination of an IP address and a port number may be used as an address.
Further, in this specification, a server that provides hardware resources and the like to a virtual machine and on which the virtual machine is operating is referred to as a “host server”.

FIG. 1 is a block diagram of a virtual environment data transfer system 10 according to an embodiment.
The virtual environment data transfer system 10 includes a user LAN 100, a relay LAN 120, and a management LAN 130. The user LAN 100 is a local area network to which a user terminal used by a user who uses a virtual machine such as a developer team belongs, and is separated from the management LAN 130. A server for relaying communication between the user LAN 100 and the management LAN 130 belongs to the relay LAN 120. The management LAN 130 is not disclosed to the user LAN 100 and the address of a server or the like belonging to the management LAN 130 is not disclosed. Composed.

  The user LAN 100 and the relay LAN 120 and the relay LAN 120 and the management LAN 130 are communicably connected via a network such as an intranet, a LAN, a wide area network (WAN), a virtual private network (VPN), and the Internet.

  The user LAN 100 includes a user terminal 102 and a temporary address storage unit 104. The temporary address storage unit 104 stores a temporary address assigned to a host server on which a virtual machine accessed by the user terminal 102 operates. Details of the temporary address will be described later. In FIG. 1, the temporary address storage unit 104 is shown as an external storage device of the user terminal 102, but may be configured as an internal storage device of the user terminal 102. Although one user terminal 102 is shown in FIG. 1, the user LAN 100 may include a plurality of user terminals 102.

The relay LAN 120 includes a data transfer server 122 and an environment management server 124.
The data transfer server 122 transfers a data transfer request such as a screen transfer request (hereinafter also referred to as “screen query”) to the virtual machine sent from the user terminal 102 to the virtual machine, and the screen sent from the virtual machine. Data and the like are transferred to the user terminal 102. The structure of the data transfer server 122 will be described later with reference to FIG.

  The environment management server 124 manages the system environment such as the user LAN 100. The environment management server 124 includes a server in the management LAN 130 and a virtual machine information storage unit 128 that stores information regarding virtual machines running on the server in the management LAN 130.

  The management LAN 130 includes a first host server 132a, a second host server 132b (hereinafter collectively referred to simply as “host server 132”), and an integrated management server 136. In FIG. 1, two host servers 132 are shown. However, the number of host servers 132 is not limited to this. The number of host servers 132 may be an arbitrary number, and may be appropriately set according to the use, load, physical machine performance, and the like. You may decide. The host server 132 is an arbitrary server capable of constructing a virtual environment, and may be a VMware ESX Server (registered trademark), for example.

  The first virtual machine 134a and the second virtual machine 134b are virtually constructed on the first host server 132a, and the third virtual machine 134c and the fourth virtual machine 134d are virtually constructed on the second host server 132b. Has been built. Hereinafter, these virtual machines are collectively referred to as “virtual machine 134”. In FIG. 1, as an example, a configuration in which two virtual machines 134 are running on the host server 132 is shown, but the number of virtual machines 134 is not limited to this, and usage, load, and physical machine performance Depending on the above, it may be determined appropriately.

  The integrated management server 136 manages the host server 132 and the virtual machine 134 in the LAN 130 in an integrated manner. The integrated management server 136 includes a management information storage unit 138 that accumulates and stores information regarding the host server 132 and the virtual machine 134.

  FIG. 2 is a block diagram of the data transfer server 122. The data transfer server 122 transmits a request processing unit 50 that processes a packet such as a request for the virtual machine 134 sent from the user terminal 102, a real address storage unit 56 that stores a real address of the host server 132, and a transmission from the host server 132. A response transfer unit 58 for transferring the received data to the user terminal 102. The request processing unit 50 includes a request receiving unit 60, a first acquisition unit 62, a second acquisition unit 64, a transfer condition determination unit 66, a conversion unit 68, and a request transfer unit 70.

  The request receiving unit 60 receives a packet such as a data transfer request for requesting data transfer from the virtual machine 134 from the user terminal 102. The first acquisition unit 62 acquires, for example, an address composed of a combination of an IP address and a port number from the received packet header, and acquires a higher layer header from the payload. Since the IP address is included in the header of the third layer and the port number is included in the header of the fourth layer, the header of the higher layer corresponds to the header of the fifth layer and higher. The second acquisition unit 64 acquires identification information that identifies the data type that can be included in the data transfer request from the header of the higher layer acquired by the first acquisition unit 62.

  The transfer condition determination unit 66 determines whether the data may be transferred to the host server 132 based on the type of data corresponding to the identification information acquired by the second acquisition unit 64. Conditions for determination will be described later. The conversion unit 68 converts the address acquired by the first acquisition unit into an address for transmission to the host server 132. When the transfer condition determination unit 66 determines that the data may be transferred to the host server 132, the request transfer unit 70 replaces the address included in the packet with the address converted by the conversion unit 68, Transfer to the host server 132. When the transfer condition is not satisfied, the request transfer unit 70 discards the received packet.

  Each block shown in FIG. 1 and FIG. 2 can be realized in hardware by an element such as a CPU of a computer or a mechanical device, and in software by a computer program or the like. Describes functional blocks realized through collaboration. Therefore, those skilled in the art will understand that these functional blocks can be realized in various forms by a combination of hardware and software.

  FIG. 3 is a diagram showing a virtual machine information table 200 stored in the virtual machine information storage unit 128 of the environment management server 124. The virtual machine information table 200 includes a virtual machine host name column 202 and a host server host name column 204. The virtual machine host name column 202 records the host name of each virtual machine 134. The host server host name column 204 records the host name of the host server 132 on which each virtual machine 134 is operating.

  Here, the host names of the first virtual machines 134a to 134d shown in FIG. 1 are vm1 to vm4, respectively, and the host names of the first host servers 132a and 132b shown in FIG. 1 are hsa and hsb, respectively. There is. By referring to the virtual machine information table 200, the host name of the host server 132 on which each virtual machine 134 is operating can be acquired. For example, it can be read from the virtual machine information table 200 that the first virtual machine 134a whose host name is vm1 is a virtual machine constructed on the first host server 132a whose host name is hsa.

  In addition, the virtual machine information table 200 may store a temporary address of the host server 132 in association with the host name of the host server 132, for example. The information recorded in the virtual machine information table 200 is updated to the latest information in synchronization with the update of the information regarding the host server 132 and the virtual machine 134 stored in the management information storage unit 138 of the integrated management server 136.

  FIG. 4 is a diagram showing a temporary address correspondence table 210 stored in the temporary address storage unit 104 of the user LAN 100. The temporary address correspondence table 210 includes a host server host name column 212 and a host server temporary address column 214. The host server host name column 212 records the host name of the host server 132. The host server temporary address column 214 records a temporary address assigned to each host server 132.

  In the virtual environment data transfer system 10, the real addresses of the host server 132 and the virtual machine 134 are not disclosed to the user terminal 102. Instead of the real address of the host server 132, the user terminal 102 uses a temporary address assigned to each host server 132 as a destination when transmitting to the host server 132.

In the example of FIG. 4, a combination of the IP address “X.1.1.1.1” and the port number “XX11” is assigned as a temporary address to the first host servers 132a and 132b having host names hsa and hsb, respectively. It has been. This temporary address is actually the address of the data transfer server 122.
When the user terminal 102 communicates with the first host server 132a, the temporary address that is actually the address of the data transfer server 122 is used as the destination address. Therefore, the user terminal 102 first communicates with the data transfer server 122.

  In FIG. 4, a combination of an IP address “X.10.10.10” and a port number “XX10” is assigned as a temporary address to a host server (not shown) whose host name is hsc. This temporary address is an address of another data transfer server (not shown). When the user terminal 102 communicates with a host server whose host name is hsc, the user terminal 102 communicates via the data transfer server. .

  In the example of FIG. 4, both the IP address and the port number are recorded in the temporary address correspondence table 210 as the temporary address assigned to the host server. It may not be recorded in the temporary address correspondence table 210 as a fixed value. For example, the port number determined by the data transfer server 122 may be notified from the data transfer server 122 to the user terminal 102 every time communication is performed.

  FIG. 5 is a diagram showing the host server real address table 230 stored in the real address storage unit 56 of the data transfer server 122. The host server real address table 230 includes a host server host name column 232 and a host server real address column 234. The host server host name column 232 records the host name of each host server. The host server real address column 234 records the real address of each host server.

  In the example of FIG. 5, the combination of the IP address “X.2.2.2.2” and the port number “443” is recorded as the real address of the first host server 132a whose host name is hsa. Further, a combination of the IP address “X.2.2.3” and the port number “443” is recorded as the real address of the second host server 132b whose host name is hsb.

  When transferring the packet received from the user terminal 102 to the host server 132, the data transfer server 122 refers to the host server real address table 230 and replaces the address of the received packet with the real address of the host server 132. And send.

The operation according to the above configuration is as follows.
FIG. 6 is a flowchart illustrating a procedure in which a screen query is transferred from the user terminal 102 to the first host server 132a, and a screen of the first virtual machine 134a is transferred from the first host server 132a to the user terminal 102. .

  For example, when the user terminal 102 is instructed to display the screen of the first virtual machine 134a via an input device (not shown), the user terminal 102 generates a screen query that requests to transfer the screen of the first virtual machine 134a. (S10). The user terminal 102 includes “vm1” that is the host name of the virtual machine in the generated screen query, and transmits it to the environment management server 124 (S12).

  The environment management server 124 refers to the virtual machine information table 200 stored in the virtual machine information storage unit 128 and reads the host name “hsa” associated with “vm1” that is the host name of the first virtual machine 134a. (S14). “Hsa” is the host name of the first host server 132a. The environment management server 124 transmits the read host name “hsa” to the user terminal 102 (S16).

  The user terminal 102 refers to the temporary address correspondence table 210 stored in the temporary address storage unit 104, and acquires the temporary address assigned to the first host server 132a (S18). In the example of FIG. 4, the user terminal 102 uses a combination of the IP address “X.1.1.1.1” and the port number “XX11” associated with the host name “hsa” acquired from the environment management server 124. Obtained as a temporary address of the first host server 132a. The user terminal 102 treats the read temporary address as the address of the first host server 132a. That is, when transmitting the screen query of the first virtual machine 134a to the first host server 132a, the user terminal 102 transmits it to the IP address “X.1.1.1.1” and the port number “XX11”.

  Here, the screen query transmitted by the user terminal 102 includes “vm1” that is the host name of the first virtual machine 134a and the host name “hsa” of the first host server 132a on which the virtual machine 134 is operating. Since the IP address “X.1.1.1.1” and the port number “XX11” which are temporary addresses are actually addresses of the data transfer server 122, the user terminal 102 sends a screen query to the data transfer server 122. It is transmitted to the address (S20).

  In the data transfer server 122, a request transfer process is performed (S22). The request transfer process will be described later with reference to FIG. The data transfer server 122 transmits a screen query to the first host server 132a (S24). The screen query sent to the first host server 132a includes the host name “vm1” of the first virtual machine 134a.

  When receiving the screen query from the data transfer server 122, the first host server 132a acquires the requested screen data of the first virtual machine 134a (S26). For example, the first host server 132a acquires screen data of the first virtual machine 134a in advance, stores it in a storage unit (not shown), and acquires screen data from the storage unit when a screen query is received. . Then, the first host server 132a transmits the acquired screen data to the data transfer server 122 (S28).

  The response transfer unit 58 of the data transfer server 122 receives the screen data from the first virtual machine 134a and transfers it to the user terminal 102 (S30). The user terminal 102 receives the screen data from the data transfer server 122, and displays the screen of the first virtual machine 134a on a display device (not shown) based on the received screen data (S32).

FIG. 7 is a flowchart showing the request transfer processing procedure of step 22 of FIG.
First, the request receiving unit 60 of the data transfer server 122 receives a packet from the user terminal 102 (S40). The first acquisition unit 62 acquires an address from the header of the received packet (S42). The address is composed of, for example, a combination of an IP address included in the third layer IP header and a port number included in the fourth layer TCP header. Here, it is assumed that the IP address included in the header is “X.1.1.1” and the port number included in the header is “XX11”.

  The first acquisition unit 62 also acquires a header of a layer higher than the layer to which the header from which the address has been acquired belongs from the payload of the received packet (S44). For example, if the layer to which the header from which the address is acquired belongs is the third layer and the fourth layer, the headers of the fifth and higher layers, which are higher layers than this, are acquired.

  The second acquisition unit 64 acquires identification information for specifying any of a plurality of types of data that can be included in the packet, from the header acquired by the first acquisition unit 62 from the payload (S46). Examples of a plurality of types of data that can be included in a packet include data related to screen transfer such as a screen query and screen data itself, and a command for operating the host server 132. The identification information for specifying any of the plurality of types of data is, for example, information that can identify whether the data is related to screen transfer or other data. This identification information may be determined in advance by the data transfer server 122 and notified to the user terminal 102.

  Based on the identification information acquired by the second acquisition unit 64, the transfer condition determination unit 66 determines whether the type of data that can be included in the received packet satisfies a transfer condition for permitting packet transfer. (S48). For example, this transfer condition defines that the data included in the received packet is data related to a screen query or screen transfer as a condition for permitting transfer of the packet to the host server 132. That is, when the type of data included in the received packet is management information including an instruction to the host server 132 not related to the screen, transfer is not permitted. If the transfer condition is not satisfied, the received packet is discarded (S50).

  The conversion unit 68 converts the address acquired by the first acquisition unit into an address for transmission to the host server 132 (S52). For example, at least an IP address is converted into another IP address among addresses composed of a combination of an IP address and a port number acquired by the first acquisition unit 62. Specifically, the conversion unit 68 refers to the host server real address table 230 and based on the host name “hsa” of the first host server 132a, the IP address “X. A combination of “2.2.2” and port number “443” is read. Then, “X.1.1.1.1” extracted from the header of the screen query by the first acquisition unit 62 is converted into a real address “X.2.2.2” of the first host server 132a.

  When the port number acquired by the first acquisition unit 62 is different from the port number used for communication between the data transfer server 122 and the host server 132, the conversion unit 68 converts the port number between the data transfer server 122 and the host server 132. It is converted into a port number used for communication between. The port number used for communication between the data transfer server 122 and the host server 132 is fixed to one. For example, it is fixed to 443 port for https communication. In this example, since the port number “XX11” acquired by the first acquisition unit 62 does not match 443, the data transfer server 122 converts the port number to 443.

When the type of data included in the packet satisfies the transfer condition, the request transfer unit 70 converts the combination of the IP address and the port number included in the screen query into the combination of the IP address and the port number converted by the conversion unit 68. (S54). In this embodiment, the combination of the IP address “X.1.1.1.1” and the port number “XX11” is replaced with the combination of the IP address “X.2.2.2” and the port number “443”.
Then, the request transfer unit 70 transfers the screen query to the host server 132 according to the replaced address (S56), and the request transfer process ends.

As described above, according to the virtual environment data transfer system 10 according to the present invention, it is possible to transmit a screen query from the user terminal 102 to the virtual machine 134 without connecting the user terminal 102 directly to the host server 132. It is possible to transfer the screen of the virtual machine 134 to the user terminal 102.
In the user terminal, the real addresses of the virtual machine 134 and the host server 132 are not recorded and are not notified. Therefore, even if a malicious user tries to access the management LAN 130 that is not disclosed from the user terminal 102, the malicious user cannot know the real addresses of the virtual machine 134 or the host server 132 and accesses the management LAN 130. I can't.

In addition, since the data transfer server 122 can check the data type of the packet transmitted from the user terminal 102, it is data other than the predetermined data related to the screen, such as a screen query or a transfer screen. It is possible to perform a filtering process that does not allow a packet determined to pass through.
Therefore, virtualized resources can be used in a more secure environment.

  Further, since the environment management server 124 that can be connected to the management information storage unit 138 of the integrated management server 136 updates and manages the virtual machine information table 200, the latest information can always be provided to the user terminal 102. For example, even when the system configuration is changed in the management LAN 130 and the virtual machine 134 is moved to another host server 132, the latest information can be provided.

  The present invention has been described based on the embodiments. The embodiments are exemplifications, and it will be understood by those skilled in the art that various modifications can be made to combinations of the respective constituent elements and processing processes, and such modifications are within the scope of the present invention. .

  For example, in the embodiment, the user terminal 102 requests screen transfer from the virtual machine 134 and the data transfer server 122 transfers screen data as a response to the user terminal 102. However, the information requested by the user terminal 102 is not limited to screen data, and may be data other than the screen, such as voice, or a combination of screen data and other data. The user terminal 102 uses the virtual machine 134. It may be any data that is necessary for the operation. For example, it may be a combination of an HTML document, an image associated with the document, sound, a moving image, or the like.

  In step 18 of the flowchart of FIG. 6, the user terminal 102 reads the temporary address from the temporary address correspondence table 210, but instead, the user terminal 102 acquires the temporary address from the environment management server 124. Also good.

  In this case, the virtual machine information table 200 of the environment management server 124 further records the host name of the host server and its temporary address in association with each other. In step 14, the environment management server 124 reads the temporary address assigned to the first host server 132a in addition to the host name “hsa” of the first host server 132a. In step 16, the environment management server 124 transmits the temporary address assigned to the first host server 132a to the user terminal 102 together with the host name of the first host server 132a.

  In this case, the user terminal 102 does not need to perform the reading in step 18. In step 20, the user terminal 102 transmits the screen query of the first virtual machine 134 a to the data transfer server 122 according to the temporary address acquired from the environment management server 124. Thereafter, the screen query is transferred to the first virtual machine 134a in the same procedure as in FIG. 6, and the screen data of the first virtual machine 134a is transferred from the first host server 132a to the user terminal 102.

  According to this modification, since the temporary address of the first host server 132a is acquired from the environment management server 124, the user terminal 102 does not need to hold the temporary address correspondence table 210, and updates the temporary address correspondence table 210. There is no need to manage.

  Further, in steps 12 to 16 of the flowchart of FIG. 6, the user terminal 102 acquires the host name of the first host server 132a from the environment management server 124, but the host name of the first host server 132a is The user terminal 102 may acquire the information in advance and read it out as necessary. In this case, the process (S12 to S16 in FIG. 6) for making an inquiry to the environment management server 124 and acquiring the host name of the first host server 132a is unnecessary.

  In this case, the temporary address storage unit 104 of the user terminal 102 holds the virtual machine information table 200 in addition to the temporary address correspondence table 210. First, the user terminal 102 reads the host name of the first host server 132a on which the first virtual machine 134a operates by referring to the virtual machine information table 200 based on the host name of the first virtual machine 134a to be accessed. Next, the user terminal 102 refers to the temporary address correspondence table 210 based on the host name of the first host server 132a, and reads the temporary address of the first host server 132a (S18). After step 20, the screen query is transmitted to the first virtual machine 134a and the screen data of the first virtual machine 134a is transferred to the user terminal 102 in the same procedure as in FIG.

  According to this modification, since the virtual environment data transfer system 10 can be constructed without the environment management server 124, virtualized resources can be used more easily in a secure environment.

  10 virtual environment data transfer system, 50 request processing unit, 58 response transfer unit, 60 request reception unit, 62 first acquisition unit, 64 second acquisition unit, 66 transfer condition determination unit, 68 conversion unit, 70 request transfer unit, 100 User LAN, 102 User terminal, 104 Temporary address storage unit, 120 Relay LAN, 122 Data transfer server, 124 Environment management server, 128 Virtual machine information storage unit, 130 Management LAN, 132 Host server, 134, 136 Integrated management server, 138 Management information storage unit.

Claims (5)

A host server,
A virtual machine running on the host server;
A data transfer server connected to the host server;
A user terminal connected to the data transfer server and transmitting a data transfer request for requesting transfer of data created by the virtual machine to the data transfer server;
The data transfer server is
A first acquisition unit that acquires a first combination of an IP address and a port number from a header of the data transfer request, and acquires a header of a layer higher than a layer to which the header belongs from a payload of the data transfer request; ,
A second combination of a fixed port number and another IP address is generated by converting at least an IP address of the first combination acquired by the first acquisition unit into another IP address. A conversion unit;
Acquire identification information included in the header of the upper layer acquired in the first acquisition unit and for identifying any of a plurality of types of data that can be included in the data transfer request A second acquisition unit;
A transfer condition determination unit that determines whether the type of data corresponding to the identification information acquired in the second acquisition unit satisfies a transfer condition for permitting transfer of the data transfer request;
A request transfer unit that replaces the first combination included in the data transfer request with the second combination and transfers the data transfer request to the host server when the data type satisfies the transfer condition; A virtual environment data transfer system characterized by the above. An environment management server including a virtual machine information storage unit that stores the host name of the virtual machine and the host name of the host server in association with each other;
The user terminal includes a temporary address storage unit that stores an address that is a first combination of an IP address and a port number of the data transfer server and a host name of the host server, and the virtual machine includes When an instruction to transfer the created data is input by the user, the host name of the virtual machine is acquired by transmitting the host name of the virtual machine to the environment management server, and the host name of the host server is acquired from the temporary address storage unit. 2. The virtual environment data transfer system according to claim 1, wherein an address is read and the data transfer request is transmitted to the data transfer server. An environment management server including a virtual machine information storage unit that stores an address that is a first combination of an IP address and a port number of the data transfer server and a host name of the virtual machine;
When the user inputs an instruction to transfer data created by the virtual machine, the user terminal sends the host name of the virtual machine to the environment management server, acquires the address of the data transfer server, The virtual environment data transfer system according to claim 1, wherein the data transfer request is transmitted to a data transfer server.   4. The virtual environment data transfer system according to claim 1, wherein the data transfer request is a screen transfer request for requesting the host server to transfer a screen of the virtual machine. A data transfer device connected to a user terminal and a host server on which a virtual machine runs,
A request receiving unit that receives a data transfer request for requesting transfer of data created by the virtual machine from the user terminal;
A first acquisition unit that acquires a first combination of an IP address and a port number from a header of the data transfer request, and acquires a header of a layer higher than a layer to which the header belongs from a payload of the data transfer request; ,
A second combination of a fixed port number and another IP address is generated by converting at least an IP address of the first combination acquired by the first acquisition unit into another IP address. A conversion unit;
Acquire identification information included in the header of the upper layer acquired in the first acquisition unit and for identifying any of a plurality of types of data that can be included in the data transfer request A second acquisition unit;
A transfer condition determination unit that determines whether the type of data corresponding to the identification information acquired in the second acquisition unit satisfies a transfer condition for permitting transfer of the data transfer request;
A request transfer unit that replaces the first combination included in the data transfer request with the second combination and transfers the data transfer request to the host server when the data type satisfies the transfer condition; A virtual environment data transfer device.

Images